NMAP Implements Security Checks on Enterprise Environments

Introduction to NMAP

Nmap is an open source, free network discovery and security auditing tool.
Nmap features:
Host discovery: finds live hosts on the network, for example those that answer TCP or ICMP probes or have a particular port open
Port scan: detects the open ports of the target host
Version detection: identifies the service behind each open port of the target host and its version number
OS detection: identifies the operating system and hardware characteristics of the target host and network devices
Scripting: extends the probes with the Nmap Scripting Engine (NSE), whose scripts are written in Lua

Common Commands

1. Find live hosts in a network segment

nmap -sP < TARGET >
Explanation of parameters:
< TARGET > can be a single address, segment, domain name
-sP ping scan (host discovery only; in current Nmap releases this is the deprecated spelling of -sn). Results may be incomplete, because hosts that do not answer ping are reported as down.
Output reference:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 22:40 中国标准时间
Nmap scan report for 192.168.2.1
Host is up (0.0020s latency).
MAC Address: F8:AA:78:05:AA:AA (Unknown)
Nmap scan report for 192.168.2.7
Host is up (0.035s latency).
MAC Address: 7C:AA:AB:AA:AA (Unknown)
Nmap scan report for 192.168.2.200
Host is up (0.0020s latency).
MAC Address: 00:AA:32:7D:AA:AA (Synology Incorporated)
Nmap done: 256 IP addresses (3 hosts up) scanned in 74.66 seconds

2. Scan open services on live hosts

nmap -sS -P0 -sV -O < TARGET >
Explanation of parameters:
< TARGET > can be a single address, segment, domain name
-sS TCP SYN scan (also called half-open or stealth scan): fast, and because the three-way handshake is never completed it is less noisy than a full connect scan
-P0 skips host discovery and treats every target as online (deprecated spelling of -Pn); useful when ICMP ping is blocked
-sV probes each open port to identify the service name and version
-O attempts to identify the remote operating system

Output reference:

Nmap scan report for 192.168.2.200
Host is up (0.0016s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        nginx
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    nginx
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.1.8 (name: ZServer01; protocol 3.4)
4662/tcp  open  edonkey?
5000/tcp  open  http        nginx
5001/tcp  open  ssl/http    nginx
50001/tcp open  upnp        Portable SDK for UPnP devices 1.6.21 (Linux 3.2.40; UPnP 1.0)
50002/tcp open  http        lighttpd 1.4.43
MAC Address: 00:11:32:7D:FF:76 (Synology Incorporated)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: ZSERVER01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel:3.2.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 127.95 seconds

3. Full target host details

nmap -A < TARGET >
Explanation of parameters:
< TARGET > can be a single address, segment, domain name
-A aggressive scan: combines OS detection (-O), version detection (-sV), the default script scan (-sC) and traceroute

Output reference:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 23:25 中国标准时间
Nmap scan report for 192.168.2.200
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        nginx
|_http-server-header: nginx
|_http-title: Did not follow redirect to http://192.168.2.200:5000/
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    nginx
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.1.8 (name: ZServer01; protocol 3.4)
| afp-serverinfo:
|   Server Flags:
|     Flags hex: 0x8f79
|     Super Client: true
|     UUIDs: true
|     UTF8 Server Name: true
|     Open Directory: true
|     Reconnect: false
|     Server Notifications: true
|     TCP/IP: true
|     Server Signature: true
|     Server Messages: true
|     Password Saving Prohibited: false
|     Password Changing: false
|     Copy File: true
|   Server Name: ZServer01
|   Machine Type: Netatalk3.1.8
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: DHX2, DHCAST128
|   Server Signature: 8a2eb6e86AAAAAAAAAA38ac2
|   Network Addresses:
|     192.168.2.200
|_  UTF8 Server Name: ZServer01
4662/tcp  open  edonkey?
5000/tcp  open  http        nginx
| http-robots.txt: 1 disallowed entry
|_/
5001/tcp  open  ssl/http    nginx
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
50001/tcp open  upnp        Portable SDK for UPnP devices 1.6.21 (Linux 3.2.40; UPnP 1.0)
50002/tcp open  http        lighttpd 1.4.43
|_http-server-header: lighttpd/1.4.43
|_http-title: 403 - Forbidden
MAC Address: 00:AA:32:7D:AA:AA (Synology Incorporated)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: ZSERVER01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel:3.2.40

Host script results:
|_nbstat: NetBIOS name: ZSERVER01, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-13 23:27:17
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   1.44 ms 192.168.2.200

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.35 seconds
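To turn a report like the one above into review items, here is an added Python example (not code from the article) that parses Nmap's normal output format as shown on this page: it extracts the open-port table with service versions and the `|`-prefixed host script key/value lines, then flags unidentified services, version banners to check, and the SMB signing finding. The input is a constructed excerpt of the `-A` report above.

```python
import re

# Constructed excerpt of the `nmap -A` report above, used as parser input.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.2.200
80/tcp    open  http        nginx
|_http-title: Did not follow redirect to http://192.168.2.200:5000/
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.1.8 (name: ZServer01; protocol 3.4)
4662/tcp  open  edonkey?
50002/tcp open  http        lighttpd 1.4.43

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
KV_RE = re.compile(r"^\|_?\s*([\w.-]+):\s+(.+)$")  # "|   key: value" script lines

def parse_report(text):
    """Parse one host's normal-format report into ports and host-script key/values."""
    ports, host_scripts, in_host_scripts = [], {}, False
    for line in text.splitlines():
        if line.startswith("Host script results:"):
            in_host_scripts = True
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version or ""})
        m = KV_RE.match(line)
        if m and in_host_scripts:  # per-port script lines (e.g. http-title) are skipped
            host_scripts[m.group(1)] = m.group(2)
    return {"ports": ports, "host_scripts": host_scripts}

def findings(report):
    """Turn the parsed report into review items a defender would act on."""
    out = []
    for p in report["ports"]:
        if p["state"] == "open" and p["service"].endswith("?"):  # not fingerprinted
            out.append(f"{p['port']}/{p['proto']}: unidentified service, verify manually")
        elif p["state"] == "open" and p["version"]:
            out.append(f"{p['port']}/{p['proto']}: {p['version']}, check vendor advisories")
    if report["host_scripts"].get("message_signing", "").startswith("disabled"):
        out.append("SMB message signing disabled: require signing to block relay attacks")
    return out
```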

4. NSE Script Scan

nmap -sC < TARGET >
Explanation of parameters:
< TARGET > can be a single address, segment, domain name
-sC runs the default set of NSE scripts

Output reference:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 23:27 中国标准时间
Nmap scan report for 192.168.2.200
Host is up (0.0043s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
80/tcp    open  http
|_http-title: Did not follow redirect to http://192.168.2.200:5000/
139/tcp   open  netbios-ssn
443/tcp   open  https
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1
445/tcp   open  microsoft-ds
548/tcp   open  afp
| afp-serverinfo:
|   Server Flags:
|     Flags hex: 0x8f79
|     Super Client: true
|     UUIDs: true
|     UTF8 Server Name: true
|     Open Directory: true
|     Reconnect: false
|     Server Notifications: true
|     TCP/IP: true
|     Server Signature: true
|     Server Messages: true
|     Password Saving Prohibited: false
|     Password Changing: false
|     Copy File: true
|   Server Name: ZServer01
|   Machine Type: Netatalk3.1.8
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: DHX2, DHCAST128
|   Server Signature: 8a2eb6e8AAAAAAAAAAAAAA11ef0238ac2
|   Network Addresses:
|     192.168.2.200
|_  UTF8 Server Name: ZServer01
4662/tcp  open  edonkey
5000/tcp  open  upnp
5001/tcp  open  commplex-link
50001/tcp open  unknown
50002/tcp open  iiimsf
MAC Address: 00:11:32:7D:AA:AA (Synology Incorporated)

Host script results:
|_nbstat: NetBIOS name: ZSERVER01, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-13 23:28:22
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 110.96 seconds

5. Scan the local area network for Conficker worms

nmap -Pn -T4 -p139,445 -n -v --script="smb-vuln-*" --script-args safe=1 192.168.2.0/24
Explanation of parameters:
--script selects NSE scripts by name, category or wildcard (quote the wildcard so the shell does not expand it); here every smb-vuln-* script is run, and --script-args passes options to those scripts. Custom scripts can be run the same way, which makes this very powerful.
-Pn skips host discovery, -n disables DNS resolution and -T4 selects the aggressive timing template

Output reference:

Nmap scan report for 192.168.2.10
Host is up (0.0090s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: 6C:40:08:BB:B0:A2 (Apple)

Nmap scan report for 192.168.2.200
Host is up (0.0012s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:11:32:7D:FF:76 (Synology Incorporated)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
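A segment-wide sweep like the one above produces one report per host, and the smb-vuln-* results need triage: `false` is a clean negative, connection or authentication errors are inconclusive, and a confirmed finding is printed as a multi-line block containing `State: VULNERABLE`. The following added Python example (not code from the article) splits the output per host and classifies each script result; the input is constructed from the two hosts above plus a made-up third host (192.168.2.77) that illustrates the block format.

```python
import re

# Constructed sample: the two hosts from the sweep above plus a made-up third
# host whose ms17-010 check reports the multi-line VULNERABLE block format.
SWEEP_OUTPUT = """\
Nmap scan report for 192.168.2.10
Host is up (0.0090s latency).

Nmap scan report for 192.168.2.200
Host is up (0.0012s latency).
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
|_smb-vuln-ms17-010: Could not connect to 'IPC$'

Nmap scan report for 192.168.2.77
Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|     State: VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^\|[_ ](smb-vuln-[\w-]+):\s*(.*)$")
STATE_RE = re.compile(r"State:\s+(LIKELY )?VULNERABLE\b")  # does not match "NOT VULNERABLE"

def triage(text):
    """Return {ip: {script: state}}; state is vulnerable, not_vulnerable or inconclusive."""
    results, ip, script = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip, script = m.group(1), None
            results[ip] = {}
            continue
        m = SCRIPT_RE.match(line) if ip else None
        if m:
            # "false" is a clean negative; anything else ("Could not connect",
            # "No accounts left to try", or an empty block header) needs follow-up
            script = m.group(1)
            results[ip][script] = "not_vulnerable" if m.group(2) == "false" else "inconclusive"
        elif script and line.startswith("|") and STATE_RE.search(line):
            results[ip][script] = "vulnerable"  # multi-line block confirms the finding
    return results

def hosts_needing_action(results):
    """Hosts with a vulnerable or inconclusive check: patch, or rerun with credentials."""
    return sorted(ip for ip, s in results.items()
                  if any(v != "not_vulnerable" for v in s.values()))
```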

6. Mail Security Check
  • SMTP Weak Password
    nmap -p 25 --script smtp-brute.nse -v < SMTP Host >
  • SMTP User Name Enumeration
    nmap -p 25 --script smtp-enum-users.nse -v < SMTP Host >
  • POP3 Weak Password
    nmap -p 110 --script pop3-brute.nse -v < POP3 Host >
7. Database Security Check
  • MYSQL Weak Password
    nmap -p 3306 --script mysql-brute.nse -v < MYSQL Host >
  • MYSQL Export All Users
    nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=root' < MYSQL Host >
  • Scan intra-segment MSSQL services
    nmap -p 1433 --script ms-sql-info.nse --script-args mssql.instance-port=1433 -v 192.168.2.0/24
  • MSSQL Service Weak Password and Empty Password in Scan Segment
    nmap -p 1433 --script ms-sql-empty-password.nse -v 192.168.2.0/24
    nmap -p 1433 --script ms-sql-brute.nse -v 192.168.2.0/24
  • Try remote xp-cmdshell execution with scanned account and password
    nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd=net user test test add 192.168.2.0/24
  • Scan intra-segment MSSQL services to export all users
    nmap -p 1433 --script ms-sql-dump-hashes -v 192.168.3.0/24
  • Scan Section for PostgreSQL Database Weak Passwords
    nmap -p 5432 --script pgsql-brute -v 192.168.2.0/24
  • Scan intra-segment Oracle database weak passwords
    nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL -v 192.168.2.0/24
    nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL -v 192.168.2.0/24
  • Scan Segment for Weak Mongodb Database Passwords
    nmap -p 27017 --script mongodb-brute 192.168.2.0/24
  • Scan Segment for Redis Database Weak Passwords
    nmap -p 6379 --script redis-brute.nse 192.168.2.0/24
8. Scan SNMP information within a segment

nmap -sU --script snmp-brute --script-args snmp-brute.communitiesdb=user.txt 192.168.2.0/24

9. LDAP Service Security Check in Scan Segment

nmap -p 389 --script ldap-brute --script-args ldap.base='cn=users,dc=cqure,dc=net' 192.168.2.0/24

10. HTTP-related security checks

nmap -p80 --script "http-*" 192.168.2.0/24

11. SMB-related security checks

nmap -p445 --script "smb-vuln*" 192.168.2.0/24

Common Ports and Penetration Risks

With the scan results in hand, we can assess how likely each of the common services found is to expose the environment to risk.


Tags: Linux Nginx network Mac

Posted on Fri, 13 Mar 2020 19:13:26 -0700 by jh_dempsey